From 306b6615cf00a77e39fb27b69653a2a5d24ce5f8 Mon Sep 17 00:00:00 2001
From: aaronagent <1115117931@qq.com>
Date: Sun, 28 Jun 2026 19:09:33 -0700
Subject: [PATCH] fix(agent): limit .hermes.md parent walk to git repos only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
_find_hermes_md walks parent directories looking for .hermes.md/HERMES.md, stopping at the git root. But when there is no git repo (_find_git_root returns None), the stop guard never fires and the loop walks all the way to /. On shared systems (CI runners, multi-tenant servers), a .hermes.md planted at /tmp, /home, or / would be loaded into the system prompt of any agent session not inside a git repo — a cross-user prompt-injection vector. Fix: when there is no git root, only check cwd; do not walk parents.
Co-authored-by: Teknium <127238744+teknium1@users.noreply.github.com>
---
 agent/prompt_builder.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/agent/prompt_builder.py b/agent/prompt_builder.py
index 319be7255e2..3ec4a40b392 100644
--- a/agent/prompt_builder.py
+++ b/agent/prompt_builder.py
@@ -88,12 +88,15 @@ def _find_hermes_md(cwd: Path) -> Optional[Path]:
 stop_at = _find_git_root(cwd)
 current = cwd.resolve()
- for directory in [current, *current.parents]:
+ # When there is no git root, only check cwd itself – walking parents
+ # could pick up a .hermes.md planted in /tmp, /home, etc.
+ search_dirs = [current, *current.parents] if stop_at else [current]
+
+ for directory in search_dirs:
 for name in _HERMES_MD_NAMES:
 candidate = directory / name
 if candidate.is_file():
 return candidate
- # Stop walking at the git root (or filesystem root).
 if stop_at and directory == stop_at:
 break
 return None
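Review bot: The new `search_dirs` logic still decides trust by location alone: with no git root, a `.hermes.md` in `cwd` is returned even when `cwd` is itself a shared directory such as the `/tmp` named in the added comment, and inside a repo the walk is bounded only by what `_find_git_root` accepts as a root and by `directory == stop_at` matching the resolved path (neither is visible in this hunk, so this may already be handled). Consider also checking who owns the file before returning it, for example `if candidate.is_file() and candidate.stat().st_uid == os.getuid():` on POSIX, with a fallback where `os.getuid` is unavailable. A regression test for the no-git case, asserting that a `.hermes.md` in a parent directory is not returned, would pin the fix. The opening lines of `_find_hermes_md` lie outside the hunk.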